Windows 10 Enterprise & Credential Manager

Updated 4/26/2016: Turns out this is not specific to Windows Enterprise or Professional, but actually related to Azure AD Join and Windows Hello. If your machine is joined to Azure AD during the OOBE installation step and you sign in with a Hello method (face, fingerprint, PIN) then Credential Manager is busted. But if you bypass Hello (cover your face!) and use a password then Credential Manager is "unlocked" and works exactly as expected. From what I can tell this has to do with how Microsoft Passport containers work and because Windows Hello will only unlock a single container. If your machine is joined to Azure AD the Enterprise Container is what Hello authentication unlocks, but Credential Manager only functions when the default (non-Enterprise) container is unlocked.

Credential Manager has been a part of Windows for a long time now and I've noticed it seems to have stopped behaving as expected in builds of Windows 10 Enterprise Edition. To be more specific, defining a saved Windows credential in Credential Manager and then adding the same address to the Local Intranet Zone of Internet Explorer used to result in a SSO experience for the user. The machine would pass the saved credentials automatically without the user seeing any kind of authentication prompt.

This was a very handy trick for machines which weren't joined to a domain and needed to authenticate to various sites or applications without requiring the user to type their password over and over throughout the day. You could save a Windows credential for *.confusedamused.com and add that same wildcard definition to the Local Intranet Zone to cut down on practicing your password-typing skills.

What I've noticed is that while the Professional Edition continues to work like prior versions of Windows the Enterprise Edition will always present the authentication prompt, even with the exact same configuration.

If you try to track down potential differences you'll quickly run across Credential Guard, a feature unique to Enterprise Edition which Microsoft describes as this:

Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

Sounds great. This feature doesn't run by default, but after a couple of steps via GPO I was able to enable Credential Guard and validate it was running on my Surface Pro 4. But after removing and adding the saved credentials to Credential Manager I was in the same spot with being constantly prompted.

Reading a little further down the Technet page about Credential Guard you'll also find this innocuous-sounding statement:

Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:

  • Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.

The emphasis there is mine, but I think that last statement is key. I've been unable to find any documentation which clearly states this means Windows credentials saved in Credential Manager won't work, but I think they fall into the derived domain credentials category.

What doesn't add up is that this feature is supposed to be unique to Credential Guard, but it seems to prevent Credential Manager from working with Windows credentials even when not enabled.

I suppose you could make the argument that only corporate-owned devices would run Enterprise Edition and that any corporate-owned device shouldn't be storing saved credentials, but I'd still prefer to see this as a configurable setting even if the default behavior is to block the usage.